
I am using fwbuilder and have tried setting up rules that both allow lo interface and source ip 127.0.0.1, as follows:

$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT

...

$IPTABLES -A INPUT -s 127.0.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 127.0.0.1 -m state --state NEW -j ACCEPT

The connection appears to work fine, but then why do I see several of these errors in /var/log/syslog ??

RULE 4 -- DENY IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=43254 DF PROTO=TCP SPT=47654 DPT=4949 WINDOW=256 RES=0x00 ACK PSH FIN URGP=0

UPDATE: output of iptables -L -v

Yoav Aner
  • It might be worth using `tcpdump` to capture an entire connection with that blocked packet at the end of it. The way it got to a state where the firewall would block that packet might be enlightening. – Ladadadada Dec 22 '12 at 15:36

3 Answers

Can you show all your rules? To solve your problem, just make these rules:

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
sub
  • I've updated my question and added a link to the iptables rules – Yoav Aner Dec 22 '12 at 16:47
  • I was hoping for a more fine-grained method of allowing (stateful) access on the `lo` interface. However, this seems like the easiest way to avoid those false alarms. In case anybody's interested - in fwbuilder you can mark a rule as a `stateless rule` (in rule options). And it would produce a similar iptables rules as @sub specified. – Yoav Aner Dec 24 '12 at 11:46
You are only allowing -m state --state NEW. Assuming you also have a RELATED, ESTABLISHED rule somewhere, you will see a few packet denies like above, with ACK PSH FIN or some other non-new flags that the kernel state tracker doesn't recognize as a part of an established or related connection. Usually this happens shortly after you restart iptables and thus reload the connection tracking modules.

mricon
  • yes, I do have a rule allowing all `RELATED, ESTABLISHED` states. I'm seeing this in the log every 5 minutes or so, which is how frequently munin runs locally (and successfully connects). Any idea how to get rid of this error / allow these `ACK PSH FIN`s ?? – Yoav Aner Dec 22 '12 at 16:42
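The triage described in this answer, as an added example that is not part of the original thread: a small Python script that parses iptables LOG lines in the format quoted in the question, pulls out interface, endpoints and bare TCP flags, and says whether the denied packet was a genuine new connection (SYN only) or a segment conntrack had no entry for (ACK/PSH/FIN without SYN), which a `--state NEW` rule can never accept. The log lines other than the first one from the question are constructed, and `loopback_accept_rules` just emits the stateless rules from the accepted approach above.

```python
import re

# Constructed sample log: line 1 is the entry quoted in the question, lines 2 and 3 are
# made up for contrast (a bare SYN, and an ICMP echo request).
SAMPLE_LOG = """\
RULE 4 -- DENY IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=43254 DF PROTO=TCP SPT=47654 DPT=4949 WINDOW=256 RES=0x00 ACK PSH FIN URGP=0
RULE 4 -- DENY IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=4949 WINDOW=65495 RES=0x00 SYN URGP=0
RULE 4 -- DENY IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST", "URG")


def parse_log_line(line):
    """Split an iptables LOG line into its KEY=VALUE fields plus the bare TCP flag tokens."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    tokens = set(line.split())
    fields["FLAGS"] = tuple(f for f in TCP_FLAGS if f in tokens)
    return fields


def classify(fields):
    """Explain why a packet hitting a '--state NEW'-only ACCEPT rule fell through to the deny."""
    if fields.get("PROTO") != "TCP":
        return "non-TCP"
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN is conntrack NEW: if it was denied, the NEW rule itself did not match.
        return "new-connection"
    # No SYN: conntrack has no entry for this flow (e.g. after its table was flushed on a
    # restart), so the segment is neither ESTABLISHED nor NEW and only a stateless rule fits.
    return "untracked-segment"


def triage(log_text):
    """Return one (interface, 'src:sport -> dst:dport', flags, verdict) tuple per DENY line."""
    results = []
    for line in log_text.splitlines():
        if "DENY" not in line:
            continue
        f = parse_log_line(line)
        iface = f.get("OUT") or f.get("IN")
        ends = f"{f.get('SRC')}:{f.get('SPT', '-')} -> {f.get('DST')}:{f.get('DPT', '-')}"
        results.append((iface, ends, " ".join(f["FLAGS"]), classify(f)))
    return results


def loopback_accept_rules(iptables="/sbin/iptables"):
    """Stateless lo accept rules: no conntrack state is consulted, so nothing on lo is INVALID."""
    return [f"{iptables} -A INPUT -i lo -j ACCEPT", f"{iptables} -A OUTPUT -o lo -j ACCEPT"]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(" | ".join(row))
    print("\n".join(loopback_accept_rules()))
```

Feed it `grep DENY /var/log/syslog` output: every `untracked-segment` verdict on `lo` is the harmless case mricon describes, while `new-connection` verdicts point at a rule-order or address problem in the NEW rules themselves.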
You deny INVALID and UNTRACKED packets on your loopback interface.
This can cause ICMP packets, amongst others, to get dropped.

Check out http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#STATEMACHINE and man iptables

rhasti